Linked by Thom Holwerda on Thu 5th Jan 2006 21:24 UTC
Windows: Microsoft has officially released the patch that fixes the WMF flaw. The patch can be downloaded individually here, but it is advised to simply use Windows Update. Yesterday, Microsoft said it would not release it until next Tuesday, but two (1 | 2) third-party fixes were already available. And to make matters worse, Microsoft accidentally leaked their own patch to the Net yesterday.
Thread beginning with comment 82254
1 week??
by ZaNkY on Thu 5th Jan 2006 23:04 UTC
ZaNkY
Member since:
2005-10-18

That is so true. I plan on going around tomorrow to various people I meet during the course of my day and asking them: So what do you think about WMF?

See how many people will have a clue.....lol

and Thom:

I don't know exactly how long the vuln has been "known", but let's say one week.

7 * 24 = 168 hours

It takes probably an hour to write up a patch for this vuln. Please don't flame me for saying ONE hour. I'm sure it could be done in that time considering all the "unofficial" patches that have popped up and all those instructions to unregister a DLL and stuff like that... doesn't seem hard to me... But let's give MS the benefit of the doubt and say it takes longer.

Bottom line is that the patch can be written in a day, especially considering how critical it is and the "potential" for damage. Next? TeStInG. How long can that possibly take? I would be so bold as to say again a couple of hours, possibly a whole day.

So we're looking at 2 days to write a patch, test it, and then distribute it, and do so at the first available moment (not next Tuesday! ;) ). 2 days = 48 hours. There's 120 hours left there...

This is all considering that a multi-billion (perhaps trillion) dollar company, with near endless resources and motivation, who LOVES their customers and wants only to do good, is involved.

If you notice, the first ones above apply to MS, but they get bleaker and bleaker ;)
To sum up, Thom: 1 week to write a patch for a vuln is ok. 1 week to write a CRITICAL patch that has near invincibility and affects nearly the entire world (sadly)? NOT OK.

--ZaNkY

Reply Score: 1

RE: 1 week??
by Thom_Holwerda on Thu 5th Jan 2006 23:16 in reply to "1 week??"
Thom_Holwerda Member since:
2005-06-29

There are more factors.

First, they must decide on what is actually the best method for fixing this flaw. All that must go through bureaucracy (it's a big company). Then, they actually do the fixing. Then comes the hard part: testing.

They must make sure that their new patch breaks absolutely NOTHING. Imagine the damage if suddenly nobody could use Office anymore because the patch somehow affects Office? Or any of the other gazillion applications companies and individuals depend on each day? Do you really think they can test that in a few hours?

Look, I'm not saying that it can't be faster; all I'm saying is that MS has to take a lot more possible user scenarios into account because they supply 95% of the computing world, instead of just a few percent (very simply put).

Reply Parent Score: 5

RE[2]: 1 week??
by peejay on Fri 6th Jan 2006 14:26 in reply to "RE: 1 week??"
peejay Member since:
2005-06-29

"They must make sure that their new patch breaks absolutely NOTHING. Imagine the damage if suddenly nobody could use Office anymore because the patch somehow affects Office? Or any of the other gazillion applications companies and individuals depend on each day? Do you really think they can test that in a few hours?"

Would you rather Office and your other applications stopped working because of an early MS patch, or because your machines were compromised?

Convenience (like easy-to-guess passwords, not challenging the person walking in the door behind you, or relying on the hope that you won't be infected before a patch is issued so that your apps don't break) seems to be the greatest enemy to security measures.

Reply Parent Score: 1

RE: 1 week??
by thurston on Thu 5th Jan 2006 23:20 in reply to "1 week??"
thurston Member since:
2005-09-28

In your idyllic situation, the patch would probably be exploited as fast as it was released. Allowing a day for testing would imply that the code was written perfectly the first time and there were no errors or bugs while the patch was being written. In the world of coding I live in, undertesting causes most of my problems.

A week is a quick turnaround for a situation as critical as this in an environment as complex as Windows.

Reply Parent Score: 5

RE: 1 week??
by Celerate on Fri 6th Jan 2006 03:22 in reply to "1 week??"
Celerate Member since:
2005-06-29

"It takes probably an hour to write up a patch for this vuln."

Ok, I'm not fond of the long wait either, but consider this:

Microsoft has been around for a long time, their operating system too. It's fair to assume that they use code from at least as far back as the 90's, more likely some time in the late 80's for some parts of their software. That's code reuse for you; it's a good time saver and it makes sense to keep the code if it works rather than waste time replacing it (and if bugs are found later that doesn't mean all the code needs to be scrapped, just fixed). Now Microsoft has had employees come and go from the company since then; no doubt most of the ones working on the really old code aren't around any more, and if they are, do you really think they'll remember something from five years ago, never mind a decade or more ago? They would have a general idea, based on what part of the OS is affected, where the vulnerability is, but it would still take time to search through all that source code to find out where exactly they need to make their changes, and whether or not those changes would fix the problem entirely, or whether someone could find a way to get around those changes. So do you still think one hour is a good estimate? I'd figure they'd need a couple at least just to get the code fixed up, and then I'd give them a day or two to get it compiled and tested to make sure it's safe for the public before they release it. A week may be a bit much, but a day or two isn't unreasonable when you have a company with very old code and only so many employees who can be dedicated to the task of fixing bugs and security holes.

Reply Parent Score: 2

RE: 1 week??
by Anonymous. on Fri 6th Jan 2006 16:26 in reply to "1 week??"
Anonymous. Member since:
2005-12-04

"I don't know exactly how long the vuln has been "known", but let's say one week."

I've known about it since I was in high school, but it wasn't quite as serious back then because the Windows Picture and Fax Viewer didn't exist and everyone was still using Netscape 4... Of course no one expected anything bad to happen from opening an MS Word document (which can contain embedded WMF images), so I was still able to play a few hilarious practical jokes on a couple of my friends...

Reply Parent Score: 1